GHSA-m87f-9fvv-2mgg

Suggest an improvement
Source
https://github.com/advisories/GHSA-m87f-9fvv-2mgg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-m87f-9fvv-2mgg/GHSA-m87f-9fvv-2mgg.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-m87f-9fvv-2mgg
Aliases
Published
2021-09-13T20:05:39Z
Modified
2024-10-09T21:10:38.640681Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
  • 5.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L CVSS Calculator
Summary
Deserialization of Untrusted Data in parlai
Details

Impact

Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks.

Patches

The issue can be patched by upgrading to v1.1.0 or later. It can also be patched by replacing YAML deserialization with equivalent safe_load calls.

References

  • https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725
  • https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879
  • https://anon-artist.github.io/blogs/blog3.html
Database specific
{
    "nvd_published_at": "2021-09-10T23:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-13T19:10:21Z"
}
References

Affected packages

PyPI / parlai

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.0

Affected versions

0.*

0.1.20200409
0.1.20200416
0.1.20200610
0.1.20200713
0.1.20200716
0.8.0
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.10.0

1.*

1.0.0